Introduction
The African Union Peace and Security Council (PSC) has adopted in late January 2024 its much-anticipated and first-ever Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace (‘Common African Position’ or CAP). The CAP reflects the views of the AU’s 55 member States. Given the fact that only 30 or so other states in the rest of the world published their national positions regarding the applicability of international law in cyberspace, the CAP provides an exceptionally significant source for identifying international law on the topic. Much of the discussions on the CAP since its adoption have centred on its drafting process, and on selected themes, such as principles of territorial sovereignty, non-intervention, and non-use of force, and specific issues, such as sovereignty in cyber space. In this post, we seek to explore the ways in which the CAP treats another important aspect of the applicability of international law in cyberspace – the CAP’s approach to the application of international human rights law in cyberspace and, in particular, to the emergence of digital human rights.
The raison d’être for a continental position in the digital age
Before focusing on the treatment of digital human rights in the CAP, we briefly address the motivations of the PSC in developing a common position on the applicability international law in cyberspace. There are at least three major rationales for the consolidation of a continental position on such a matter. First, Africa is on the move to digitally transform itself and seize the opportunities presented by new and emerging information and communication technologies. The adoption of the CAP constitutes – as mentioned in its preambular ¶11 – another step towards implementing the commitment expressed by the AU in the Digital Transformation Strategy for Africa, specifically “to harness digital technologies and innovation to transform African societies and economies to promote Africa’s integration, generate inclusive economic growth, stimulate job creation, bridge the digital divide, and eradicate poverty for the continent’s socio-economic development and ensure Africa’s ownership of the modern tools of digital management.”
Second, the adoption of the CAP seeks to provide much-needed clarity for States with relation to their obligations in cyberspace, including in the field of human and peoples’ rights (see preambular ¶ 3). The third rationale relates to the unique technical characteristics of cyberspace and the distinctive nature of threats posed by both State and non-State actors, which invites a dialogue among various stakeholders at national, regional, and international levels through an inclusive and multilateral process (see here). The participation of 55 African states in the adoption of CAP under the auspices of the AU reflects, in this regard, the expectation that the African continent will play an active role in the international governance of cyberspace. The insistence on making Africa’s voice on these matters heard is implicitly reflected in the principled position expressed in preambular ¶ 6 – “All States have an equal right to participate in the articulation of rules of international law that apply in cyberspace and the views of all States have equal weight and value in this process”. The active and comprehensive participation of African states in this developing area of international law also has broader global governance implications, as it brings legitimacy and inclusivity to the governance of cyberspace.
The need for process-legitimacy was further underscored by AU Special rapporteur, Mohammed Helal, who noted the involvement of independent African experts in the process of drafting the CAP itself: “Furthermore, to broaden participation in the drafting of the CAP and to ensure that it enjoyed greater legitimacy as an expression of African views on international law and cyberspace, several leading African jurists were invited to join the process.”
Key contributions for the development of digital human rights
As we explain below, the CAP has made a notable contribution for the development of a global vision for digital human rights. For the purpose of this post, we define digital human rights as the application of international human rights law in the digital realm, whose development can be divided into three “generations”: (1) the adaptation of existing rights to online environments; (2) the creation of new digital rights, such as the right to access the Internet, the right to be forgotten and the right not to be subjected to automated decisions; and (3) the introduction of new rights and duty holders (e.g., virtual persons and online platforms exercising quasi-sovereign power).
Firstly, the CAP expressly endorses the first generations of digital human rights, i.e., the applicability of “the same rights people have offline must be protected online” doctrine. The CAP clearly sets this out it under ¶ 54:
“The African Union affirms that international human rights law (IHRL), whether codified in universal or regional conventions to which States are party or embodied in customary international law, applies in cyberspace, and also reaffirms the universality, indivisibility, interdependence, and interrelation of all human rights and fundamental freedoms, including the right to development.” (emphasis added)
This is congruent with the approach adopted in a number of UN Resolutions – most recently in the Global Digital Compact – which affirmed the online applicability of offline human rights (¶ 8(c)):
“This Compact is anchored in international law, including international human rights law. All human rights, including civil, political, economic, social and cultural rights, and fundamental freedoms, must be respected, protected and promoted online and offline. Our cooperation will harness digital technologies to advance all human rights, including the rights of the child, the rights of persons with disabilities and the right to development;” (emphasis added)
It also coincides with Rule 34 of the Tallinn Manual 2.0 which clearly extends and applies international human rights law (IHRL) to cyber-related activities, as:
“The International Group of Experts agreed that international human rights law, whether found in customary or treaty law, applies in relation to cyber-related activities. As noted, (…) the principle that the same rights people have offline are to be protected online has been asserted repeatedly in numerous multilateral and multi-stakeholder fora…” (emphasis added)
It may be noted that the proposition that “the same rights people have offline must be protected online” is reaffirmed in dozens of national policy statements on international law and cyber operations put forward by multiple countries (most, but not all of which, hailing from the Global North), such as Austria, Canada, Costa Rica, the Czech Republic, Denmark, Finland, Ireland, Italy, Japan, the Netherlands, Norway, Poland, Romania, Sweden, Switzerland, the United Kingdom (2021), and the United States (2021).
Significantly, the CAP reiterates earlier AU positions on the question of applicability of international human rights law in digital environments. The African Commission on Human and Peoples’ Rights (‘ACmHPR’) embraced a similar approach in its 2019 Declaration of Principles on Freedom of Expression and Access to Information in Africa. For example, according to Principle 5 of the Declaration, the right to freedom of expression, safeguarded by Article 9 of the African Charter on Human and Peoples’ Rights (‘ACHPR’, also known as the ‘Banjul Charter’), is equally applicable to online expression. According to Principles 40-41, which deal with personal information and communication surveillance, the same applies for the right to privacy. This approach to digital human rights, which stipulates that the rights individuals possess offline should be equally upheld online (see here, here and here), has been described by one of the authors of this post as ‘normative equivalency’, inviting the adaptation and transposition of existing human rights to the digital realm.
While the second generation of digital human rights were not expressly mentioned in the CAP, it implicitly supports new digital human rights such as the right to access the Internet. Specifically, the CAP seeks under ¶ 58 to locate the need to bridge digital divide in a human rights context, through promoting access to the Internet especially for disempowered or marginalised individuals and groups:
The African Union highlights the importance of bridging the digital divide to ensuring the full enjoyment of human rights. In this regard, States shall contribute to further empowering women and girls. States shall also further promote the full enjoyment of the benefits of ICTs by persons with disabilities by ensuring that the design, development, and production of ICTs incorporates assistive and adaptive technologies that are accessible to persons with disabilities. (emphasis added)
To be sure, the language of the CAP does not take a firm position on the perennial debate as to whether access to the internet should be regarded as a stand-alone human right – a question which remains unsettled in the international human rights law (see, e.g., the former UN Special Rapporteur Frank La Rue’s report, ¶ 80 and the Tallinn Manual 2.0 p.195) and the academic literature thereon (e.g. see here, here, and here). Still, we note, in this regard, that another important AU instrument – the 2014 Convention on Cyber Security and Personal Data Protection – lays the groundwork for the development of new digital human rights, such as the right to be forgotten (or a right to erasure) and the right not to be subject to automated decisions.
Finally, the CAP supports the emergence of a third generation of digital rights, by requiring that duties be placed on businesses operating in the digital sector. In doing so, it articulates the obligation both of States and non-State actors to respect and protect human rights in the cyberspace. The CAP acknowledges this under ¶56 in the following terms:
“The African Union affirms that States shall protect individuals and peoples within their territory or in areas under their jurisdiction against violations of human rights that are committed by third parties, especially business enterprises operating in the ICT sector. Moreover, business enterprises that operate in the ICT sector have a responsibility to respect and protect human rights, especially the right to privacy and the freedom of expression, including by exercising due diligence to identify, prevent, mitigate, and account for any adverse human rights impacts of their activities.” (emphasis added)
The states’ duty to protect and the digital businesses’ responsibility to respect human rights in the CAP mirror the principles outlined in the UN Guiding Principles on Business and Human Rights.
Missed opportunities
The CAP is significant in that it gives effect to the right of African states to actively and effectively participate in the development of international law applicable in cyberspace, including international human rights law in cyberspace. This a fast-developing field of international law, whose early growth has been dominated by countries from the Global North, threatening to repeat therein law-creation pathologies that have afflicted international law over the years. The CAP demonstrates that AU member states not only deserve a seat around the table in which decisions regarding the application of international law in cyberspace are made, but that the AU has the unique capacity to speak in one voice, in the name of an entire continent, about these difficult issues, in a manner that is not likely to be replicated in other regions of the world.
Still, the CAP also represents a missed opportunity for the AU to assume a trailblazing role in the development of the field of international human rights law in cyberspace, especially in areas in which Africa has a unique experience and perspective. First, with respect to the need for new digital rights (second generation rights), the CAP is ambiguous. This is despite the leadership shown by the AU in adopting the 2014 Convention, which enumerates important digital rights that have the potential to become universal digital human rights, before comparable regional instruments on digital rights, such as the EU General Data Protection Regulation (GDPR) and the Council of Europe Convention 108+ were adopted. The obvious concern of African countries with the slowness of the process of closing the digital divide and the acknowledged link in the CAP between access to technology and enjoyment of human rights, should encourage them to consider formulating claims to facilitate access to new and emerging technology, including open, secure, stable and accessible access to the Internet, as independent human rights.
Second, the CAP represents a missed opportunity to clarify the position of the AU member states on the issue of extra-territorial human rights obligations. This is a dimension which is critical to the development of international human rights law in cyberspace: While offline human rights are primarily based on the exercise of national jurisdiction in the territory of different states (with some notable exceptions), the borderless nature of the Internet and technology transfers, poses unique challenges for the application and enforcement of digital human rights (see here, here and here). Yet, the position articulated by the CAP in this regard does not make the point strongly and clearly. CAP ¶53 only provides in this regard that “States shall respect, protect, and ensure the human rights of individuals and peoples on their territory or under their jurisdiction that relate to the peaceful use of ICTs in cyberspace, including by protecting such individual and collective rights against infringements by third parties and non-State actors.
Notably, this formulation is weaker compared to broader positions on extra-territoriality adopted by Costa Rica and Switzerland, which strive to align responsibility for human rights violations with effective control by states over the ability of individuals to enjoy their human rights, wherever they are located. The formulation found in the CAP is particularly disappointing when compared to the more precise language noted above used with regard to the related issue of corporate responsibility. Note that the allusion in the CAP to “transnational interception of communication” does suggest that the AU member states share, in principle, the same functional approach to extraterritoriality as Costa Rica and Switzerland. But unfortunately, they have not articulated their position on the matter in sufficiently clear terms.
Finally, and most importantly, it is regrettable that the one regional system that prides itself on developing an approach to human and peoples’ rights that is communal in its orientation, did not clearly articulate how the communal dimensions of international human rights law need to be protected in cyberspace. While the CAP mentions briefly the relations holding between an “open, secure, stable, accessible, and peaceful” cyberspace and the right to sustainable development, and between developing scientific and technological capabilities in the field of ICT and the enjoyment of economic, social and cultural rights (CAP ¶53 ), it does not emphasise the human rights dimension of collective values such as African cultural identify and heritage, a sense of belonging to a community and individual participation in self-determination and development, which might be adversely affected by activities in cyberspace.
Concluding thoughts
Given that the views expressed in the CAP are a non-exhaustive articulation of the views of the member states of the African Union regarding some of the salient questions relating to the application of international law in cyberspace (see ¶¶ 10 & 68), we argue that AU should constantly update its positions in light of technological advancements, new cyber threats and challenges, the communal conception of human rights in Africa and lived realities in the Continent. In a 2021 resolution (¶2), the African Commission on Human and People’s Rights emphasised that African values and norms must be seriously considered in formulating regulatory frameworks for digital technologies and AI governance. This approach is necessary to address the global epistemic of injustice that still exists. Such African contexts and approaches should be given serious consideration in future restatements.
